This article describes how TIBCO BusinessWorks (BW) decides whether to trust a certificate by default and the property that relaxes that behavior.
Default behavior
By default, BW trusts an entity's certificate only if every CA certificate in its chain, that is each intermediate CA certificate and the root CA certificate, is present in the Trusted Certificates folder of the project or in the location specified by the global variable BW_GLOBAL_TRUSTED_CA_STORE. Trusting the root CA alone is not sufficient.
For example, consider the following server certificate chain.
Server certificate -
Subject: CN=Server
Issuer: CN=IntermediateCA
Intermediate CA certificate -
Subject: CN=IntermediateCA
Issuer: CN=RootCA
Root CA certificate -
Subject: CN=RootCA
Issuer: CN=RootCA
For BW to trust the server certificate, both the intermediate CA certificate and the root CA certificate must be placed in the Trusted Certificates folder.
Sample SSL debug log -
Successful validation with both CA certificates in the Trusted Certificates folder
validating certificate chain
looking in datastore for certificate with DN CN=IntermediateCA
match found
looking in datastore for certificate with DN CN=RootCA
match found
chain length: 3
chain verifies ok
Failed validation with only the root CA certificate in the Trusted Certificates folder
validating certificate chain
looking in datastore for certificate with DN CN=IntermediateCA
No match found
CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate
server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate
Failed validation with only the intermediate CA certificate in the Trusted Certificates folder
validating certificate chain
looking in datastore for certificate with DN CN=IntermediateCA
match found
looking in datastore for certificate with DN CN=RootCA
No match found
CA certificate with issuer CN=RootCA and serial number 7565 AF8F is not a trusted certificate
server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 7565 AF8F is not a trusted certificate
Configuring BW not to require that every CA certificate in the chain be trusted
The property com.tibco.security.NoExplicitCAChain controls this behavior. When it is set to true, BW trusts an entity's certificate if any one certificate in the chain, whether the entity's own certificate, an intermediate CA certificate or the root CA certificate, is present in the Trusted Certificates folder.
With reference to the chain above, BW then trusts the server certificate if any one of the three certificates is in the Trusted Certificates folder. Note that this makes every certificate in that folder a trust anchor in its own right: a trusted intermediate CA is sufficient by itself, so keep the folder limited to CAs you actually intend to trust. Placing the server certificate itself in the folder pins that specific certificate, and validation will fail again once the server certificate is renewed unless the new certificate, or one of its CAs, is added.
How to add the property
Add the following line to the .tra file of the deployed application (or to designer.tra for the designer):
java.property.com.tibco.security.NoExplicitCAChain=true
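The following Python model, added here as an illustration and not TIBCO code, reproduces the trust decision described in this article for both settings: the default (every CA certificate in the chain must be in the store) and NoExplicitCAChain=true (any one certificate in the chain suffices). The certificate objects, the key identifiers that link a certificate to its issuer, the server certificate's serial number and the trace wording are assumed; the two CA serial numbers are the ones shown in the sample log above. Signature, validity-period and revocation checks are deliberately out of scope.

```python
"""Model of the two BW certificate-trust policies described in this article.

Added example, not TIBCO code: it reproduces only the trust decision (which
certificates of the chain must be in the Trusted Certificates folder). Real
validation also checks signatures, validity periods, basicConstraints, key
usage and revocation, none of which is modelled here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal certificate stand-in (all fields assumed for the example).

    key_id / authority_key_id play the role of the Subject Key Identifier and
    Authority Key Identifier that tie a certificate to its issuer's key.
    """
    subject: str
    issuer: str
    serial: str
    key_id: str
    authority_key_id: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.authority_key_id


# Constructed sample chain matching the article's example. The CA serial
# numbers are the ones in the article's log; the rest are assumed values.
ROOT = Cert("CN=RootCA", "CN=RootCA", "7565 AF8F", "key-root", "key-root")
INTERMEDIATE = Cert("CN=IntermediateCA", "CN=RootCA", "1A43 CF9E", "key-int", "key-root")
SERVER = Cert("CN=Server", "CN=IntermediateCA", "0A01", "key-srv", "key-int")


def build_chain(leaf: Cert, candidates: List[Cert]) -> List[Cert]:
    """Order the chain leaf -> root by following issuer DN and key identifier.

    Stops at a self-signed certificate, or early if no issuer can be found.
    """
    chain = [leaf]
    while not chain[-1].is_self_signed:
        cur = chain[-1]
        issuer = next((c for c in candidates
                       if c.subject == cur.issuer
                       and c.key_id == cur.authority_key_id
                       and c not in chain), None)
        if issuer is None:
            break  # incomplete chain: no issuer presented or in the store
        chain.append(issuer)
    return chain


def _lookup(store: Dict[str, Cert], cert: Cert, trace: List[str]) -> bool:
    """Datastore lookup by DN, as in the debug log.

    The stored entry must be the same certificate (same serial and key), not
    merely one with the same DN; otherwise a rogue certificate that reuses a
    trusted name would match.
    """
    trace.append(f"looking in datastore for certificate with DN {cert.subject}")
    found = store.get(cert.subject) == cert
    trace.append("match found" if found else "No match found")
    return found


def validate(leaf: Cert, presented: List[Cert], trusted: List[Cert],
             no_explicit_ca_chain: bool = False) -> Tuple[bool, List[str]]:
    """Return (is_trusted, log-style trace).

    presented: certificates sent by the peer; trusted: contents of the Trusted
    Certificates folder. Chain members the peer omits are taken from the store.
    """
    store = {c.subject: c for c in trusted}
    chain = build_chain(leaf, presented + trusted)
    trace = ["validating certificate chain"]

    if no_explicit_ca_chain:
        # NoExplicitCAChain=true: one trusted certificate anywhere in the
        # chain (leaf, intermediate or root) is enough.
        for cert in chain:
            if _lookup(store, cert, trace):
                trace += [f"chain length: {len(chain)}", "chain verifies ok"]
                return True, trace
        trace.append("server chain validation failed: no certificate in the chain is trusted")
        return False, trace

    # Default: every CA certificate above the leaf must be in the store.
    # Assumption of the model: a self-signed leaf is its own root CA.
    for cert in chain[1:] or chain:
        if not _lookup(store, cert, trace):
            msg = (f"CA certificate with issuer {cert.issuer} and serial number "
                   f"{cert.serial} is not a trusted certificate")
            trace += [msg, f"server chain validation failed: {msg}"]
            return False, trace
    if not chain[-1].is_self_signed:
        # Assumption of the model: a chain that never reaches a root CA cannot
        # have "the root CA certificate" in the store, so it does not verify.
        trace.append("server chain validation failed: chain does not end at a root CA")
        return False, trace
    trace += [f"chain length: {len(chain)}", "chain verifies ok"]
    return True, trace


if __name__ == "__main__":
    full = [SERVER, INTERMEDIATE, ROOT]
    for label, store, relaxed in [
        ("default, intermediate+root trusted", [INTERMEDIATE, ROOT], False),
        ("default, only root trusted", [ROOT], False),
        ("default, only intermediate trusted", [INTERMEDIATE], False),
        ("NoExplicitCAChain=true, only root trusted", [ROOT], True),
    ]:
        ok, trace = validate(SERVER, full, store, relaxed)
        print(f"== {label}: {'trusted' if ok else 'NOT trusted'}")
        print("\n".join("  " + line for line in trace))
```

Running the script prints the three scenarios from the sample log above, with the same failure messages, followed by the relaxed case. The lookup deliberately compares the whole certificate rather than just the DN: under NoExplicitCAChain=true a single match anywhere in the chain decides the outcome, so a name-only match would let a certificate that merely copies a trusted DN pass.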